SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

WordPress XSS under function wp_title()


Arrow  SecurityAlert : 2526
Arrow  CVE : CVE-2007-1894
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : No
Arrow  Credit : g30rg3_x
Arrow  Published : 10.04.2007

Arrow  Affected Software : WordPress



Arrow  Advisory Content :  

_____________
ChX Security |
Advisory #1 |
=============

-> "WordPress XSS under function wp_title()" <-

______
Data |
======
Author: g30rg3_x <g30rg3x_at_gmail_dot_com>
Program: WordPress <http://wordpress.org/>
Severity: Less Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions:
-> Series 2.0.x: <= 2.0.10-alpha
-> Series 2.1.x: <= 2.1.3-alpha
-> Series SVN latest: <= 2.2-bleeding (Revision 5002)

____________________
Program Description |
====================
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.
What a mouthful. WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

_________
Overview |
=========
The query variable "year" inside the function "wp_title", its not
sanitized
so it allows a non persistent cross site scripting attack.

___________
WorkAround |
===========
$title takes the value in raw (without any type of filter) of $year which
is an
a query variable, that can be filled with any web browser via a simply
GET parameter.

________________
Proof Of Concept|
================
ChX Security will not release any proof of concept.

____________
Solution/Fix|
============
The lastest SVN Revision (greater than revision 5002) has alredy fixed
this bug...
http://trac.wordpress.org/changeset/5003

For series 2.1.x and 2.0.x, the vendor will fix this in the next set
of dot releases.

______
Dates |
======
Bug Found: 2/03/2007
Vendor Contact: 3/03/2007
Vendor Response: 7/03/2007
Public Disclosure: 9/03/2007
_______
Shouts |
=======
Paisterist, NitRic, HaCkZaTaN, PescaoDeth, alex_hk23 and all mexican white
hats.
White Hat Powa.

ChX Security
http://chxsecurity.org/
(c) 2007

--
Copy: http://chxsecurity.org/advisories/adv-1-mid.txt
_________________________
g30rg3_x





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...

Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration

PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass

Copyright © SecurityReason.com. All Rights Reserved.